Bug #58816
closed
Response Splitting Vulnerability
100%
Description
TYPO3 4.7.18 is vulnerable to Response Splitting (http://en.wikipedia.org/wiki/HTTP_response_splitting)
A recent security audit on our installed customer systems discovered a Response Splitting vulnerability that can be triggered via the redirect_url paramater used by the felogin extension.
The request:
curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd'
The Response headers:
---------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------
This issue should be fixed in the redirect utility method inside of class.t3lib_utility_http.php inside of the function redirect Line 96.
- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));
The fix should be ported to the other TYPO3 version that are currently supported.
Updated by Markus Klein almost 10 years ago
- Project changed from TYPO3 Core to 1716
Updated by Nicole Cordes almost 10 years ago
Just tested with TYPO3 4.5 and PHP 5.3
REQUEST: ******
POST http://typo3-4-5.local HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 10.36.10.5
Accept: */*
Content-Length:159
logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0aSomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd
RESPONSE: ******
HTTP/1.1 200 OK
Date: Thu, 15 May 2014 12:40:21 GMT
Server: Apache/2.2.26 (Win32) PHP/5.3.7
X-Powered-By: PHP/5.3.7
Set-Cookie: fe_typo_user=498ff7037501c1f0b66e448eb41ee8e2; path=/
Last-Modified: Mon, 02 Aug 2010 11:10:03 GMT
Expires: Fri, 16 May 2014 00:40:21 GMT
ETag: "5b30c448d52edea405081000b6edc5e5"
Cache-Control: max-age=43200
Pragma: public
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Updated by Oliver Hader almost 10 years ago
Could not reproduce with PHP 5.3.28. Any string containing CR/LF and passed to PHP's header() method is just not outputted.
However, I'm wondering why FrontendLoginController::validateRedirectUrl() is not catching the invalid return URL...
Updated by Helmut Hummel almost 10 years ago
- Project changed from 1716 to TYPO3 Core
- Status changed from New to Closed
This is not possible with PHP versions > 5.1.3 (see http://de2.php.net/manual/en/function.header.php)
Response by mail from Sven Carstens by mail:
this seems to be a false positive, as the required injection of %0d%0a%0d%0a to split the headers does in fact fail.
Updated by Helmut Hummel almost 10 years ago
- Project changed from TYPO3 Core to 1716
Updated by Helmut Hummel almost 10 years ago
- Project changed from 1716 to TYPO3 Core
Updated by Gerrit Code Review over 8 years ago
- Status changed from Closed to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44898
Updated by Gerrit Code Review over 8 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44898
Updated by Helmut Hummel over 8 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 49ffef2579a7814c75415b31fbce4421849169f8.
Updated by Gerrit Code Review over 8 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/44900
Updated by Helmut Hummel over 8 years ago
- Status changed from Under Review to Resolved
Applied in changeset 16012623c0c4916e656a97a6f401fd11fb837441.
Updated by